Re: Paypal phishing - ADDL NOTES

2024-11-21 Thread AJ Weber
I coincidentally have a legit PP email/notification from just a day ago.  Some things to note: LEGIT: X-Spam-DCC:www.nova53.net: app3 1207; Body=1 Fuz1=1 Fuz2=1 From:"serv...@paypal.com" To: AW Subject: You authorized a payment to ((To is actually my email address)) FAKES: X-Spam-DCC:www.n

Re: Paypal phishing?

2024-11-21 Thread AJ Weber
2.5 Let me know how this works for you. -- Jared Hall ja...@jaredsec.com Available for hire. On 11/21/2024 7:57 AM, AJ Weber wrote: I saw a "conversation" a few weeks ago regarding paypal phishing emails that were not being caught. I can't recall if anyone found a

Re: [External] Paypal phishing?

2024-11-21 Thread AJ Weber
3 AM, Bill Cole wrote: On 2024-11-21 at 10:45:58 UTC-0500 (Thu, 21 Nov 2024 10:45:58 -0500) AJ Weber is rumored to have said: Thanks Kevin, Have trusted KAM rules for a long time.  I assume they're still now in the main rules updates? The KAM rules are an independent rules channel that you

Re: [External] Paypal phishing?

2024-11-21 Thread AJ Weber
ain a phone number to call. Side note: Any one got a good contact at the FCC? I've been wanting to talk to them so they can figure out what provider(s) are facilitating this. Regards, KAM On 11/21/2024 7:57 AM, AJ Weber wrote: I saw a "conversation" a few weeks ago regarding

Paypal phishing?

2024-11-21 Thread AJ Weber
I saw a "conversation" a few weeks ago regarding paypal phishing emails that were not being caught. I can't recall if anyone found a reasonable solution (or new rules). I just received one and it seems very well crafted.  Is anyone still collecting samples and wants this one too? Thanks for

Re: missing something in new SA config

2023-12-28 Thread AJ Weber
what is in the /etc/mail/spamassassin/.razor/razor-agent.conf ? debuglevel = 3 identity   = identity ignorelist = 0 listfile_catalogue = servers.catalogue.lst listfile_discovery = servers.discovery.lst listfile_nomination    = servers.nomination.lst

Re: missing something in new SA config

2023-12-27 Thread AJ Weber
Thanks for the reply. SA v3.4.6 razor is installed: optional module installed: Razor2::Client::Agent, version 2.84 razor plugin is enabled in v310.pre: loadplugin Mail::SpamAssassin::Plugin::Razor2 I don't see any "logs" in the first page of the lint output. Would you be so kind as to descr

missing something in new SA config

2023-12-27 Thread AJ Weber
Migrating a mailserver with SA and I see this in my log when testing: spamd[30912]: razor2: razor2 check failed: No such file or directory razor2: Can't read: /var/lib/razor/ at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 331. My local.cf has the following: use_razor

sane max value for message size in 2023?

2023-09-11 Thread AJ Weber
I realize this is very much an "it depends", but recently I'm getting a lot of messages bypassing spamc because they're a few KB over the default, 500KB limit (spamassassin 3.4.x). Can I bump this to maybe 750KB, and if so, will spamc read that from one of my .pre files, or do I have to someho

Spamhaus DQS usage portal update frequency?

2022-11-09 Thread AJ Weber
Does anyone know how often the DQL usage tab is updated by spamhaus? I believe my SA was misconfigured, and didn't have anything showing for usage.  I think this is fixed now and sent test emails from their "Blocklist Tester Verification" tool.  All emails were correctly categorized as SPAM, a

Re: [Spamhaus notice] New plug-in is now available for use with Spamhaus Domain Blocklist with hostnames which goes into production on February 1st.

2022-01-11 Thread AJ Weber
Sorry for not having followed as closely as maybe I should have, but... Is there a list of "legacy" Spamhaus cf/pm/plugin entries we would remove if we were to install the new DBL plug-in?  I don't see anything on the github page, but maybe it's documented elsewhere? Thanks On 1/11/2022 8:2

Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-12-14 Thread AJ Weber
if you are using RH based Linux distros, just put the attached configuration file under /etc/mail/spamassassin/channels.d/ Apologies for the naive question;  I'm running CentOS 7, SA 3.4.3.  I don't have that channels.d directory by default.  I've been running a more traditional cron updat

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-20 Thread AJ Weber
On 11/20/2020 9:28 AM, @lbutlr wrote: A whole lot of people have decided their right to free speech means an obligation from others to listen to them. It's not just spammers, it's also racists, fascists, republicans, and god-botherers. I think you should keep politics out of this.  If I want to

Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread AJ Weber
Cool.  Thanks. On 6/12/2020 11:04 AM, Kris Deugau wrote: AJ Weber wrote: I want to try adding a score for a sender whose address uses a TLD with  > 3 chars. I realize there are some legit ones, but I'm going to test it with a low score and see what it catches. Is it just someth

score sender domains with 4+ chars in TLD?

2020-06-12 Thread AJ Weber
I want to try adding a score for a sender whose address uses a TLD with > 3 chars. I realize there are some legit ones, but I'm going to test it with a low score and see what it catches. Is it just something like: header   From =~   /\.\w{4,}$/ Thanks in advance. - AJ

Re: another extortion email check

2020-05-02 Thread AJ Weber
Yes, noticed that as well and considered making it simple with that rule.  Probably best thing to do anyway. Thank you both. -AJ On 5/1/2020 5:08 PM, John Hardin wrote: On Fri, 1 May 2020, Loren Wilton wrote: Please help, apparently this person "knows everything about me" :) I got a rash

another extortion email check

2020-05-01 Thread AJ Weber
I am seeing a number of extortion emails where the hacker has gotten my email address and an old password from "the dark web". (Probably one of many lists that are out there from one of the many mega-hacks that have occurred.) Is there a way to check for a specific 1-2 words in the body being

help with simple test?

2020-01-15 Thread AJ Weber
I'm hoping this is a relatively simple test... I'm seeing emails "From Me, To Me", typically extortion types. I'm not even seeing which of the SA tests are getting hit, because I have my own email in my Whitelist. Is there a way I can check IF From = m...@staticinfo.com AND Return-Path != FR

Re: phishing by deceptive From address detection

2019-12-18 Thread AJ Weber
The following header is the FROM in the message envelope. From: =?utf-8?Q?B=CC=B7B=CC=B7&T?= I'm not sure what you mean by disguise, and what you expect should have been done. I suppose you're right.  I wonder if there's a rule I could develop that goes like, [if the descriptive From is

phishing by deceptive From address detection

2019-12-17 Thread AJ Weber
Just looking at a phishing email I received and at first glance I wasn't sure how SA (or more-specifically my SA install/configuration) didn't score this as spam. Looks like I have a whitelist setup for alerts from comcast (probably a bad idea, but let's address that separately). The followi

Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread AJ Weber
So the (probably obvious to perl folks) fix on RedHat/CentOS is: yum install perl-List-MoreUtils All is well after that! (Posting that in hopes it helps someone else in the future.) -AJ On 7/3/2019 8:47 AM, AJ Weber wrote: Trying to follow the instructions, I got the following error

Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread AJ Weber
Trying to follow the instructions, I got the following error: spamassassin --lint Jul  3 08:29:08.089 [26120] warn: plugin: failed to parse plugin /etc/mail/spamassassin/SH.pm: Can't locate List/MoreUtils.pm in @INC (@INC contains: lib /usr/share/perl5/vendor_perl /usr/local/lib64/perl5 /usr/l

Re: FSL_BULK_SIG tweak?

2018-03-12 Thread AJ Weber
That's it. exists:List-Unsubscribe means does the email have a List-Unsubscribe header. Thank you.

FSL_BULK_SIG tweak?

2018-03-12 Thread AJ Weber
I started down the rabbit hole looking to see how this rule works... Besides checking if one of the bulk mail rules hit (like DCC), it uses "72_active.cf:header   __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe" (It negates that test.) That seems logical, but how do I find the List-Unsubscribe l

Re: From name containing a spoofed email address

2018-01-19 Thread AJ Weber
False Positive On 1/19/2018 2:55 PM, Jeffs Chips wrote: I am trying to follow this interesting thread - can someone tell me what "FP" means? __  "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged." -- Matthew Walker, Sleep Scientist On Ja

Re: check utf-8 subjects/from?

2017-12-14 Thread AJ Weber
On 12/13/2017 6:58 PM, Reindl Harald wrote: > There seems to be a large disparity between your (10%) result and my > (2%) result.  Can you explain how that could be? surely, from the moment you have not only english messages it looks completely different and don't forget that the corpus where i

Re: check utf-8 subjects/from?

2017-12-13 Thread AJ Weber
On 12/13/2017 5:18 PM, Reindl Harald wrote: my statements are based on a decade experience with a lot of users from all over the world, on your personal server you can even reject anything not whitelisted, from the moment on when other peoples mailflow is affected it's no longer that easy It'

Re: check utf-8 subjects/from?

2017-12-13 Thread AJ Weber
Would you be so kind as to tell me how you hacked into my mail server to determine the basis for your statements? On 12/13/2017 4:52 PM, Reindl Harald wrote: Am 13.12.2017 um 19:44 schrieb AJ Weber: Is there an easy way to check if the Subject or From is UTF-8 -- or non-ASCII -- char set

check utf-8 subjects/from?

2017-12-13 Thread AJ Weber
Is there an easy way to check if the Subject or From is UTF-8 -- or non-ASCII -- char set? I see in some of my recent spam, either the Subject or the From (sometimes both) starts with "=?UTF-8?" (in these cases the rest is Base64 encoded, but I don't want to qualify on that). If I check a he

help with phishing email?

2017-12-08 Thread AJ Weber
I'm trying to decide the best way to detect something like this. https://pastebin.com/hCX9MWNg Looking at the raw headers and body it's pretty easy to tell this is a spoof, but when it shows-up in an inbox, it looks pretty good. Something specific to Amazon (where this is purported to come fr

Re: NOTE: Warning to Abusers of Update Servers

2017-11-21 Thread AJ Weber
The major offenders are sa-update 3.3.x and generic curl clients based on the user agent in the logs running from every minute to every 15 minutes and blindly pulling down the same rulesets over and over. My "vote" counts for very, very little, but since these clients already have the latest

Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
eshooting for DNSBL regarding how your IP address is assigned.  It just recommends that you use your own, caching DNS server.  If that is important, maybe it should be mentioned in the docs? Am 13.10.2017 um 15:20 schrieb AJ Weber: I put the following in my local.cf.  This does not work? dns_availa

Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
I put the following in my local.cf.  This does not work? dns_available yes # - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans dns_server 127.0.0.1 On 10/13/2017 8:48 AM, Reindl Harald wrote: Am 13.10.2017 um 14:40 schrieb AJ Weber: I guess this qualifies a

Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
On 10/13/2017 8:57 AM, David Jones wrote: On 10/13/2017 07:47 AM, Markus Clardy wrote: URIBL_BLOCKED is in reference to multi.uribl.com . --   - Markus To disable queries to multi.uribl.com, put this in your local.cf or equivalent in /etc/mail/spamassassin: score UR

URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
I guess this qualifies as a newbie question...I've been running SA for a while, but haven't really dug into some of the workings... I occasionally see the URIBL_BLOCKED notice in some of my spam results.  I read the related web page, and started using unbound as a local DNS, but I'm still seei

Re: improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber
On 10/12/2017 11:33 AM, Ian Zimmerman wrote: I don't know how you got the supposition about pyzor. pyzor is completely independent of Cloudmark (unlike razor) and AFAIK pyzor scores are based on participating users' reports and nothing else. Sorry.  It is razor2 that is (or was - according to t

Re: improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber
On 10/12/2017 10:07 AM, Kevin A. McGrail wrote: On 10/12/2017 9:25 AM, AJ Weber wrote: I'm open to new rules, plug-ins, etc. Spam volume is only getting worse, and these spammers are getting more creative. Hi AJ, I have to say that 3.3.0 is pretty old.  I'd look to run a newe

improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber
OK, please, this is meant with all good intentions... I have been running SA 3.3.0 on my server for years.  Using the standard rule updates channel and "sought.rules.yerp.org".  (I don't see those updated too often, maybe I need to check on that update process.)  Also enabled:  DCC, Pyzor and

Re: rule to test "body" length?

2012-01-08 Thread AJ Weber
John Hardin wrote: > > The thread subject is "Short body rules" on 11/25/2011 > Thanks for the pointer. Using the "Old Nabble1" website, there are ZERO threads/emails archived for 11/25/11. :( When I get some time, I'll see where the other archives are for this list and search there. Thank

Re: rule to test "body" length?

2012-01-08 Thread AJ Weber
> Please don't top-post. Sorry. Even though I subscribed, and sent the "confirmation" email, I still don't get any of the messages in my email, so I'm posting via the "Old Nabble" web form. That doesn't allow me to automate indenting/quoting previous messages, so I will manually put >'s in fro

Re: rule to test "body" length?

2012-01-06 Thread AJ Weber
BTW: To expound upon my previous "guess" at matching short messages, what's wrong with: body MY_TOO_SHORT /^.{1,100}$/ (Which I mean to check for a message where the length is < 100 chars) AJ Weber wrote: > > Didn't find it, but I'll keep looking. While s

Re: rule to test "body" length?

2012-01-06 Thread AJ Weber
SA wiki, but it doesn't seem "enough". Thanks for the reply, AJ John Hardin wrote: > > On Fri, 6 Jan 2012, AJ Weber wrote: > >> Is there a way to check if the body of an email is less than some >> threshold >> (length of chars)? > > Check the archives

rule to test "body" length?

2012-01-06 Thread AJ Weber
Is there a way to check if the body of an email is less than some threshold (length of chars)? I'm seeing some spam slip through because it's purposely too short to hit a lot of rules, and too short for DCC and other networked systems to get a "fingerprint" on. For example: Any body where len <

Re: razor2 and cloudmark?

2012-01-05 Thread AJ Weber
s their windows desktop product. Guess I'll go add-in DCC as well (Pyzor already also included). Thanks for the response. -AJ Kevin A. McGrail wrote: > > On 1/5/2012 8:49 AM, AJ Weber wrote: >> Yes, I still have other rules enabled. I have found the Cloudmark >> product t

Re: razor2 and cloudmark?

2012-01-05 Thread AJ Weber
ly, AJ Martin Hepworth-2 wrote: > > Of course razor2 checks only provide part of the score to SA , have you > checked the other rules fired on that email and the nothing else is > marking > the score down? > > Martin > > On Thursday, 5 January 2012, AJ Weber wrote: &

razor2 and cloudmark?

2012-01-04 Thread AJ Weber
I am testing the Razor2 plugin and am surprised that some "obvious" spam is getting through. The reason I'm most surprised is that the SA install (3.3.1) seems to be checking the message with Razor2 and passing it. However, I have "Cloudmark Desktop One" running on my PC, and when the message ge